APPARATUS AND METHOD FOR INSTALLING A DECRYPTION KEY

BACKGROUND OF THE INVENTION 

I. Field of the Invention 

[0001] The present invention relates to a method and apparatus for installing a
decryption key. The invention may be usefully employed in the newly emerging field 
of digital cinema. 

II. Description of the Related Art 

[0002] In the traditional film industry, theatre operators receive reels of celluloid film
from a studio or through a distributor for eventual presentation in a theatre 
auditorium. The reels of film include the feature program (a full-length motion 
picture) and a plurality of previews and other promotional material, often referred to 
as trailers. This approach is well established and is based in technology going back 
around one hundred years. 

[0003] Recently an evolution has started in the film industry, with the industry
moving from celluloid film to digitized image and audio programs. Many advanced 
technologies are involved and together those technologies are becoming known as 
digital cinema. It is planned that digital cinema will provide a system for delivering 
full length motion pictures, trailers, advertisements and other audio/visual programs 
comprising images and sound at "cinema-quality" to theatres throughout the world 
using digital technology. Digital cinema will enable the motion picture cinema 
industry to convert gracefully from the century-old medium of 35mm film into the 
digital/wireless communication era of today. This advanced technology will benefit 
all segments of the movie industry. 

[0004] The intention is that digital cinema will deliver motion pictures that have been
digitized, compressed and encrypted to theatres using either physical media 
distribution (such as DVD-ROMs) or electronic transmission methods, such as via 
satellite multicast methods. Authorized theatres will automatically receive the 
digitized programs and store them in hard disk storage while still encrypted and 
compressed. At each showing, the digitized information will be retrieved via a local 
area network from the hard disk storage, be decrypted, decompressed and then
displayed using cinema-quality electronic projectors featuring high quality digital
sound. 

[0005] Digital cinema will encompass many advanced technologies, including digital
compression, electronic security methods, network architectures and management, 
transmission technologies and cost-effective hardware, software and integrated circuit 
design. The technologies necessary for a cost-effective, reliable and secure system are 
being analyzed and developed. These technologies include new forms of image 
compression, because most standard compression technologies, such as MPEG-2, are
optimized for television quality. Thus, artifacts and other distortions associated with
that technology show up readily when the image is projected on a large screen. 
Whatever the image compression method adopted, it will affect the eventual quality 
of the projected image. Special compression systems have therefore been designed 
specifically for digital cinema applications to provide "cinema-quality" images at bit 
rates averaging less than 40 Mbps. Using this technology a 2-hour movie will require 
only about 40 GB of storage, making it suitable for transportation on such media as 
so-called digital versatile disks (DVDs) or transmission or broadcast via a wireless 
link. 

[0006] While this has obvious advantages in terms of the distribution of movies, it
brings with it its own problems in that in itself such transportation and transmission is 
not secure. Encryption and conditional access methods are therefore also being 
developed with the aim of preventing piracy of movies. Encryption provides good 
protection against unauthorized access, but only so long as the key to the encryption 
remains secret. If the key is accessible then encryption is of no use at all, because a 
thief will easily be able to decrypt the movie data and thus steal the movie.

SUMMARY OF THE INVENTION

[0007] The invention aims to provide increased security for the encryption key itself,
so as to reduce the likelihood of the key, and hence the movie, being stolen.

[0008] According to one aspect of the invention, there is provided a decryption
system comprising: a decryption unit for decrypting encrypted program signals using 
a working decryption key; a receiver for receiving signals including encrypted data 
defining the working decryption key; a processor; and an interface providing a first 
path for transferring the encrypted data from the receiver to the processor and 
providing a second path, separate and independent of the first path, for transferring 
data from the processor to the decryption unit; and wherein the processor is 
configured to decrypt the encrypted data using a program key so as to extract the 
working decryption key from the encrypted data, and to output the working 
decryption key for transfer via the second path of the interface to the decryption unit. 

[0009] According to another aspect of the invention there is provided an apparatus for
decrypting encrypted program signals, the apparatus comprising: receiving means for 
receiving encrypted key signals containing data defining a working decryption key; 
means for transferring the encrypted key signals via a first interface; first means, 
connected to the first interface, for decrypting the encrypted key signals, using a 
program key in a decryption algorithm, to determine the working decryption key; 
means for transferring the working decryption key via a second interface, different 
and operationally separate from the first interface; and second means, connected to 
the second interface, for decrypting the encrypted program signals using the working 
decryption key, and wherein the decryption algorithm is supplied together with the 
program decryption key via the receiving means and is downloaded therefrom to the 
first means for decrypting. 

[0010] According to a further aspect of the invention there is provided an apparatus in
which, initially, a decryption algorithm received by a control processor is passed via a 
first interface path to a decryption processor where it is installed together with a 
program decryption key extracted therefrom, and, subsequently, encrypted working
decryption keys received by the control processor are passed on to the decryption 
processor over the first interface path at which decryption processor they are 
decrypted using the program decryption key to obtain working decryption keys that 
are then transferred via a second interface path to decryptors for use in decrypting
encrypted program signals input to the decryptors. 

[0011] According to another aspect of the invention there is provided a method for
installing a decryption key, in which, initially, a decryption algorithm received by a 
control processor is passed via a first interface path to a decryption processor where it 
is installed together with a program decryption key extracted therefrom, and, 
subsequently, encrypted working decryption keys received by the control processor 
are passed on to the decryption processor over the first interface path at which 
decryption processor they are decrypted using the program decryption key to obtain 
working decryption keys that are then transferred via a second interface path to 
decryptors for use in decrypting encrypted program signals input to the decryptors. 

[0012] The invention also provides a method for installing a decryption key, the
method comprising: receiving signals including encrypted data defining a working 
decryption key; transferring the encrypted data over a first path to a processor; 
decrypting the encrypted data at the processor using a program key so as to extract the 
working decryption key from the encrypted data; outputting the working decryption 
key for transfer over a second path, separate and independent of the first path, to a 
decryption unit; and decrypting encrypted program signals in a decryption unit using 
the working decryption key. 

[0013] The invention further provides a method for decrypting encrypted program
signals, the method comprising: receiving encrypted key signals containing data 
defining a working decryption key; transferring the encrypted key signals via a first 
interface; decrypting the encrypted key signals, using a program key in a decryption 
algorithm, to determine the working decryption key; transferring the working 
decryption key via a second interface, different and operationally separate from the 
first interface; and decrypting the encrypted program signals using the working 
decryption key, and wherein the decryption algorithm is supplied together with the 
program decryption key via the receiving means and is downloaded therefrom to the 
first means for decrypting. 
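
The key-installation flow of paragraphs [0008] and [0012], sketched as an added example that is not part of the patent text: a receiver forwards the wrapped working key over a first path, and a processor holding the program key unwraps it and writes it to the decryption unit over a second path. The patent names no cipher, so the HMAC-SHA256 keystream with encrypt-then-MAC used here is a stand-in, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in cipher chosen for this example.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _subkeys(program_key):
    # Separate encryption and MAC keys derived from the program key.
    enc = hmac.new(program_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(program_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def wrap_working_key(program_key, working_key):
    """Hub side: encrypt-then-MAC the working key under the program key."""
    enc, mac = _subkeys(program_key)
    nonce = os.urandom(16)
    ct = _xor(working_key, enc, nonce)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


class DecryptionUnit:
    """Decrypts program data; its key slot is written only via the second path."""

    def __init__(self):
        self._working_key = None

    def load_key(self, working_key):           # second path endpoint
        self._working_key = working_key

    def decrypt(self, nonce, ciphertext):
        if self._working_key is None:
            raise RuntimeError("no working key installed")
        return _xor(ciphertext, self._working_key, nonce)


class KeyProcessor:
    """Holds the program key; takes wrapped keys in, pushes working keys out."""

    def __init__(self, program_key, unit):
        self._enc, self._mac = _subkeys(program_key)
        self._unit = unit

    def receive_encrypted_key(self, blob):      # first path endpoint
        if len(blob) <= 48:                     # 16-byte nonce + 32-byte tag, no key
            return False
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                        # tampered blob or wrong program key
        self._unit.load_key(_xor(ct, self._enc, nonce))
        return True                             # status only, never key material


class Receiver:
    """Forwards received blobs over the first path and records what it handled."""

    def __init__(self, processor):
        self._processor = processor
        self.seen = []

    def on_key_signal(self, blob):
        self.seen.append(blob)
        return self._processor.receive_encrypted_key(blob)


def run_demo():
    program_key = os.urandom(32)                # constructed sample keys
    working_key = os.urandom(32)
    unit = DecryptionUnit()
    receiver = Receiver(KeyProcessor(program_key, unit))

    blob = wrap_working_key(program_key, working_key)
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    rejected = not receiver.on_key_signal(tampered)
    installed = receiver.on_key_signal(blob)

    nonce = os.urandom(16)
    frame = b"constructed program data block"
    recovered = unit.decrypt(nonce, _xor(frame, working_key, nonce))
    leaked = any(working_key in b for b in receiver.seen)
    return {"rejected": rejected, "installed": installed,
            "recovered": recovered == frame, "leaked": leaked}


if __name__ == "__main__":
    print(run_demo())
```

The receiver side only ever handles the wrapped blob and a success flag, which is the property the separate second path is meant to give.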

BRIEF DESCRIPTION OF THE DRAWINGS

[0014] The above and further features of the invention are set forth with particularity
in the appended claims and together with advantages thereof will become clearer from 
consideration of the following detailed description of an exemplary embodiment of 
the invention given with reference to the accompanying drawings, in which: 

[0015] Figure 1 illustrates a block diagram of a digital cinema system; 

[0016] Figure 2 is a block diagram of a compressor/encryptor circuit used in the
system of Figure 1; 

[0017] Figure 3 illustrates an auditorium module used in the system of Figure 1;

[0018] Figure 4 is a block diagram showing part of the auditorium module of Figure 3
in greater detail; and 

[0019] Figure 5 is a block diagram representing a theater manager and its associated
interfaces used in the system of Figure 1.

DETAILED DESCRIPTION OF AN EMBODIMENT OF THE INVENTION

[0020] The following description is intended to provide both an overview of a digital
cinema system in which the invention may be embodied and a detailed disclosure of 
the presently preferred embodiment itself. Systems similar to the system shown herein 
are described extensively in other applications assigned to the assignee of this 
application, including USSN 09/564,174 entitled "Apparatus And Method For
Encoding And Storage Of Digital Image And Audio Signals" and USSN 09/563,880, 
entitled "Apparatus And Method For Decoding Digital Image And Audio Signals" 
both filed May 3, 2000, the teachings of which are incorporated herein by reference. 

[0021] A digital cinema system 100 embodying the invention is illustrated in Figure 1
of the accompanying drawings. The digital cinema system 100 comprises two main 
systems: at least one central facility or hub 102 and at least one presentation or theater 
subsystem 104. The hub 102 and the theater subsystem 104 are of a similar design to 
that of pending US Patent Application Serial No. 09/075,152 filed on May 8, 1998, 
assigned to the same assignee as the present invention, the teachings of which are 
incorporated herein by reference. 

[0022] Image and audio information are compressed and stored on a storage medium,
and distributed from the hub 102 to the theater subsystem 104. Generally, one theater 
subsystem 104 is utilized for each theater or presentation location in a network of 
presentation locations that is to receive image or audio information, and includes 
some centralized equipment as well as certain equipment employed for each 
presentation auditorium. 

[0023] In the central hub 102, a source generator 108 receives film material and
generates a digital version of the film. The digital information is compressed and 
encrypted by a compressor/encryptor (CE) 112, and stored on a storage medium by a 
hub storage device 116. A network manager 120 monitors and sends control 
information to the source generator 108, the CE 112, and the hub storage device 116. 
A conditional access manager 124 provides specific electronic keying information 
such that only specific theaters are authorized to show specific programs. 

[0024] In the theater subsystem 104, a theater manager 128 controls an auditorium
module 132. Based on control information received from the auditorium module 132, 
a theater storage device 136 transfers compressed information stored on the storage 
medium to a playback module 140. The playback module 140 receives the 
compressed information from the theater storage device 136, and prepares the
compressed information to a predetermined sequence, size and data rate. The 
playback module 140 outputs the compressed information to a decoder 144. The 
decoder 144 inputs compressed information from the playback module 140 and 
performs decryption, decompression and formatting, and outputs the information to a 
projector 148 and a sound module 152. The projector 148 plays the information on a 
projector and the sound module 152 plays sound information on a sound system, both 
under control of the auditorium module 132. 

[0025] In operation, the source generator 108 provides digitized electronic image
and/or programs to the system. Typically, the source generator 108 receives film 
material and generates a magnetic tape containing digitized information or data. The 
film is digitally scanned at a very high resolution to create the digitized version of the 
motion picture or other program. Typically, a known "telecine" process generates the 
image information while well-known digital audio conversion processing generates 
the audio portion of the program. The images being processed need not be provided 
from a film, but can be single picture or still frame type images, or a series of frames 
or pictures, including those shown as motion pictures of varying length. These images 
can be presented as a series or set to create what are referred to as image programs. In 
addition, other material can be provided such as visual cue tracks for sight-impaired 
audiences, subtitling for foreign language and/or hearing impaired audiences, or 
multimedia time cue tracks. Similarly, single or sets of sounds or recordings are used 
to form desired audio programs. 

[0026] Alternatively, a high definition digital camera or other known digital image
generation device or method may provide the digitized image information. The use of 
a digital camera, which directly produces the digitized image information, is 
especially useful for live event capture for substantially immediate or
contemporaneous distribution. Computer workstations or similar equipment can also 
be used to directly generate graphical images that are to be distributed. 

[0027] The digital image information or program is presented to the
compressor/encryptor 112, which compresses the digital signal using a preselected 
known format or process, reducing the amount of digital information necessary to 
reproduce the original image with very high quality. Preferably, an ABSDCT 
technique is used to compress the image source. A suitable ABSDCT compression 
technique is disclosed in U.S. Pat. Nos. 5,021,891, 5,107,345, and 5,452,104, the
teachings of which are incorporated herein by reference. The audio information may 
also be digitally compressed using standard techniques and may be time synchronized 
with the compressed image information. The compressed image and audio 
information is then encrypted and/or scrambled using one or more secure electronic 
methods. 

[0028] The network manager 120 monitors the status of compressor/encryptor 112,
and directs the compressed information from the compressor/encryptor 112 to the hub
storage device 116. The hub storage device 116 is comprised of one or more storage 
media (shown in Figure 8). The storage medium/media may be any type of high 
capacity data storage device including, but not limited to, one or more digital versatile 
disks (DVDs) or removable hard drives (RHDs). Upon storage of the compressed 
information onto the storage medium, the storage medium is physically transported to 
the theater subsystem 104, and more specifically, to the theater storage device 136. 

[0029] Alternatively, the compressed image and audio information may each be
stored in a non-contiguous or separate manner independent of each other. That is, a 
means is provided for compressing and storing audio programs associated with image 
information or programs but segregated in time. There is no requirement to process 
the audio images at the same time. A predefined identifier or identification 
mechanism or scheme is used to associate corresponding audio and image programs 
with each other, as appropriate. This allows linking of one or more preselected audio 
programs with at least one preselected image program, as desired, at a time of 
presentation, or during a presentation event. That is, while not initially time 
synchronized with the compressed image information, the compressed audio is linked 
and synchronized at presentation of the program. 

[0030] Further, maintaining the audio program separate from the image program
allows for synchronizing multiple languages from audio programs to the image 
program, without having to recreate the image program for each language. Moreover, 
maintaining a separate audio program allows for support of multiple speaker 
configurations without requiring interleaving of multiple audio tracks with the image 
program. 

[0031] In addition to the image program and the audio program, a separate
promotional program, or promo program, may be added to the system. Typically, 
promotional material changes at a greater frequency than the feature program. Use of 
a separate promo program allows promotional material to be updated without
requiring new feature image programs. The promo program comprises information 
such as advertising (slides, audio, motion or the like) and trailers shown in the theater. 
Because of the high storage capacity of storage media such as DVDs and RHDs, 
thousands of slides or pieces of advertising may be stored. The high storage volume 
allows for customization, as specific slides, advertisements or trailers may be shown 
at specific theaters at targeted customers.

[0032] Although Figure 1 illustrates the compressed information in the storage device
116 and physically transporting storage medium/media to the theater subsystem 104, 
it should be understood that the compressed information, or portions thereof, may be 
transmitted to the theater storage device 136 using any of a number of wireless or wired
transmission methods. Transmission methods include satellite transmission, well-known
multi-drop, Internet access nodes, dedicated telephone lines, or point-to-point
fiber optic networks. 

[0033] A block diagram of the compressor/encryptor 112 is illustrated in Figure 2 of
the accompanying drawings. Similar to the source generator 108, the
compressor/encryptor 112 may be part of the central hub 102 or located in a separate
facility. For example, the compressor/encryptor 112 may be located with the source 
generator 108 in a film or television production studio. In addition, the compression 
process for either image or audio information or data may be implemented as a 
variable rate process. 

[0034] The compressor/encryptor 112 receives a digital provided by the source
generator 108. The digital image and audio information may be stored in frame 
buffers (not shown) before further processing. The digital image signal is passed to 
an image compressor 184. In a preferred embodiment, the image compressor 184 
processes a digital image signal using the ABSDCT technique described in the 
abovementioned U.S. Pat. Nos. 5,021,891, 5,107,345, and 5,452,104. 

[0035] In the ABSDCT technique, the color input signal is generally in a YIQ format,
with Y being the luminance, or brightness, component, and I and Q being the 
chrominance, or color, components. Other formats such as the YUV or RGB formats 
may also be used. Because of the low spatial sensitivity of the eye to color, the 
ABSDCT technique sub-samples the color (I and Q) components by a factor of two in 
each of the horizontal and vertical directions. Accordingly, four luminance 
components and two chrominance components are used to represent each spatial
segment of image input. 

[0036] Each of the luminance and chrominance components is passed to a block
interleaver. Generally, a 16x16 block is presented to the block interleaver, which 
orders the image samples within the 16x16 blocks to produce blocks and composite 
sub-blocks of data for discrete cosine transform (DCT) analysis. The DCT operator is 
one method of converting a time-sampled signal to a frequency representation of the 
same signal. By converting to a frequency representation, the DCT techniques have 
been shown to allow for very high levels of compression, as quantizers can be 
designed to take advantage of the frequency distribution characteristics of an image. 
Preferably, one 16x16 DCT is applied to a first ordering, four 8x8 DCTs are applied 
to a second ordering, 16 4x4 DCTs are applied to a third ordering, and 64 2x2 DCTs 
are applied to a fourth ordering. 

[0037] The DCT operation reduces the spatial redundancy inherent in the image
source. After the DCT is performed, most of the image signal energy tends to be 
concentrated in a few DCT coefficients. 

[0038] For the 16x16 block and each sub-block, the transformed coefficients are
analyzed to determine the number of bits required to encode the block or sub-block. 
Then, the block or the combination of sub-blocks, which requires the least number of 
bits to encode, is chosen to represent the image segment. For example, two 8x8
sub-blocks, six 4x4 sub-blocks, and eight 2x2 sub-blocks may be chosen to represent the
image segment. 

[0039] The chosen block or combination of sub-blocks is then properly arranged in
order. The DCT coefficient values may then undergo further processing such as, but 
not limited to, frequency weighting, quantization, and coding (such as variable length 
coding) using known techniques, in preparation for transmission. The compressed 
image signal is then provided to at least one image encryptor 188. 

[0040] The digital audio signal is generally passed to an audio compressor 192.
Preferably, the audio compressor 192 processes multi-channel audio information 
using a standard digital audio compression algorithm. The compressed audio signal is 
provided to at least one audio encryptor 196. Alternatively, the audio information 
may be transferred and utilized in an uncompressed, but still digital, format. 

[0041] The image encryptor 192 and the audio encryptor 196 encrypt the
compressed image and audio signals, respectively, using any of a number of known
encryption techniques. The image and audio signals may be encrypted using the same
or different techniques. In a preferred embodiment, an encryption technique, which 
comprises real-time digital sequence scrambling of both image and audio 
programming, is used. 

[0042] At the image and audio encryptors 192 and 196, the programming material is
processed by a scrambler/encryptor circuit that uses time-varying electronic keying 
information (typically changed several times per second). The scrambled program 
information can then be stored or transmitted, such as over the air in a wireless link, 
without being decipherable to anyone who does not possess the associated electronic 
keying information used to scramble the program material or digital data. 

[0043] Returning now to Figure 2, in addition to scrambling, the image encryptor 192
may add a "watermark" or "fingerprint" which is usually digital in nature, to the 
image programming. This involves the insertion of a location specific and/or time 
specific visual identifier into the program sequence. That is, the watermark is 
constructed to indicate the authorized location and time for presentation, for more 
efficiently tracking the source of illicit copying when necessary. The watermark may 
be programmed to appear at frequent, but pseudo-random periods in the playback 
process and would not be visible to the viewing audience. The watermark is 
perceptually unnoticeable during presentation of decompressed image or audio 
information at what is predefined as a normal rate of transfer. However, the 
watermark is detectable when the image or audio information is presented at a rate 
substantially different from that normal rate, such as at a slower "non-real-time" or 
still frame playback rate. If an unauthorized copy of a program is recovered, the 
digital watermark information can be read by authorities, and the theater from which 
the copy was made can be determined. Such a watermark technique may also be 
applied or used to identify the audio programs. 

[0044] The compressed and encrypted image and audio signals are both presented to a
multiplexer 200. At the multiplexer 200, the image and audio information is 
multiplexed together along with time synchronization information to allow the image 
and audio-streamed information to be played back in a time aligned manner at the 
theater subsystem 104. The multiplexed signal is then processed by a program 
packetizer 204, which packetizes the data to form the program stream. By 
packetizing the data, or forming "data blocks," the program stream may be monitored 
during decompression at the theater subsystem 104 (see Figure 1) for errors in
receiving the blocks during decompression. Requests may be made by the theater
manager 128 of the theater subsystem 104 to acquire data blocks exhibiting errors. 
Accordingly, if errors exist, only small portions of the program need to be replaced, 
instead of an entire program. Requests of small blocks of data may be handled over a 
wired or wireless link. This provides for increased reliability and efficiency. 

[0045] Alternatively, the image and audio portions of a program are treated as
separate and distinct programs. Thus, instead of using the multiplexer 200 to 
multiplex the image and audio signals, the image signals are separately packetized. In 
this way the image program may be transported exclusive of the audio program, and 
vice versa. As such, the image and audio programs are assembled into combined 
programs only at playback time. This allows for different audio programs to be 
combined with image programs for various reasons, such as varying languages, 
providing post-release updates or program changes, to fit within local community 
standards, and so forth. This ability to flexibly assign different multi-track audio
programs to image programs is very useful for minimizing costs in altering programs 
already in distribution, and in addressing the larger multi-cultural markets now 
available to the film industry. 

[0046] The compressors 184 and 192, the encryptors 188 and 196, the multiplexer
200, and the program packetizer 204 may be implemented by a 
compression/encryption module (CEM) controller 208, a software-controlled 
processor programmed to perform the functions described herein. That is, they can be 
configured as generalized function hardware including a variety of programmable 
electronic devices or computers that operate under software or firmware program 
control. They may alternatively be implemented using some other technology, such 
as through an ASIC or through one or more circuit card assemblies, i.e. constructed as 
specialized hardware. 

[0047] The image and audio program stream is sent to the hub storage device 116.
The CEM controller 208 is primarily responsible for controlling and monitoring the 
entire compressor/encryptor 112. The CEM controller 208 may be implemented by 
programming a general-purpose hardware device or computer to perform the required 
functions, or by using specialized hardware. Network control is provided to CEM 
controller 208 from the network manager 120 (Figure 2) over a hub internal network, 
as described herein. The CEM controller 208 communicates with the compressors 
184 and 192, the encryptors 188 and 196, the multiplexer 200, and the packetizer 204 
using a known digital interface and controls the operation of these elements. The
CEM controller 208 may also control and monitor the storage module 116, and the 
data transfer between these devices.

[0048] The storage device 116 is preferably constructed as one or more RHDs, DVDs
disks or other high capacity storage medium/media, which in general is of similar 
design as the theater storage device 116 in theater subsystem 104. However, those 
skilled in the art will recognize that in some applications other media may be used 
including but not limited to DVDs (Digital Versatile Disks) or so-called JBODs ("Just 
a Bunch Of Drives"). The storage device 116 receives the compressed and encrypted 
image, audio, and control data from the program packetizer 204 during the 
compression phase. Operation of the storage device 116 is managed by the CEM 
controller 208. 

[0049] Figure 3 of the accompanying drawings illustrates operation of the auditorium
module 132 using one or more RHDs (removable hard drives) 308. For speed, 
capacity, and convenience reasons, it may be desirable to use more than one RHD 
308a to 308n. When reading data sequentially, some RHDs have a "prefetching" 
feature that anticipates a following read command based upon a recent history of 
commands. This prefetching feature is useful in that the time required to read
sequential information off the disk is reduced. However, the time needed to read
non-sequential information off the disk may be increased if the RHD receives a command
that is unexpected. In such a case, the prefetching feature of the RHD may cause the 
random access memory of the RHD to be full, thus requiring more time to access the 
information requested. Accordingly, having more than one RHD is beneficial in that 
a sequential stream of data, such as an image program, may be read faster. Further, 
accessing a second set of information on a separate RHD disk, such as audio 
programs, trailers, control information, or advertising, is advantageous in that 
accessing such information on a single RHD is more time consuming. 

[0050] Thus, compressed information is read from one or more RHDs 308 into a
buffer 284. The FIFO-RAM buffer 284 in the playback module 140 receives the 
portions of compressed information from the storage device 136 at a predetermined 
rate. The FIFO-RAM buffer 284 is of a sufficient capacity such that the decoder 144, 
and subsequently the projector 148, is not overloaded or under-loaded with 
information. Preferably, the FIFO-RAM buffer 284 has a capacity of about 100 to 
200 MB. Use of the FIFO-RAM buffer 284 is a practical necessity because there may
be a several second delay when switching from one drive to another.

[0051] The portions of compressed information are output from the FIFO-RAM buffer
into a network interface 288, which provides the compressed information to the 
decoder 144. Preferably, the network interface 288 is a fiber channel arbitrated loop 
(FC-AL) interface. Alternatively, although not specifically illustrated, a switch 
network controlled by the theater manager 128 receives the output data from the 
playback module 140 and directs the data to a given decoder 144. Use of the switch 
network allows programs on any given playback module 140 to be transferred to any 
given decoder 144. 

[0052] When a program is to be viewed, the program information is retrieved from 

the storage device 136 and transferred to the auditorium module 132 via the theater 
manager 128. The decoder 144 decrypts the data received from the storage device 
136 using secret key information provided only to authorized theaters, and 
decompresses the stored information using the decompression algorithm which is 
inverse to the compression algorithm used at source generator 108. The decoder 144 
includes a converter (not shown in Figure 3) which converts the decompressed image 
information to an image display format used by the projection system (which may be 
either an analog or digital format) and the image is displayed through an electronic 
projector 148. The audio information is also decompressed and provided to the 
auditorium's sound system 152 for playback with the image program. 

[0053] The decoder 144 processes a compressed/encrypted program to be visually 

projected onto a screen or surface and audibly presented using the sound system 152. 
As shown in Figure 3, the decoder 144 comprises a controlling CPU (central 
processing unit) 312, which controls the decoder. Alternatively, the decoder may be 
controlled via the theater manager 128. The decoder further comprises at least one 
depacketizer 316, a buffer 314, an image decryptor/decompressor 320, and an audio 
decryptor/decompressor 324. The buffer may temporarily store information for the 
depacketizer 316. All of the above-identified units of the decoder 144 may be 
implemented on one or more circuit card assemblies. The circuit card assemblies may 
be installed in a self-contained enclosure that mounts on or adjacent to the projector 
148. Additionally, a cryptographic smart card 328 may be used which interfaces with 
controlling CPU 312 and/or image decryptor/decompressor 320 for transfer and 
storage of unit-specific cryptographic keying information. 

[0054] The depacketizer 316 identifies and separates the individual control, image, 

and audio packets that arrive from the playback module 140, the CPU 312 and/or the 
theater manager 128. Control packets may be sent to the theater manager 128 while 
the image and audio packets are sent to the image and audio 
decryption/decompression systems 320 and 324, respectively. Read and write 
operations tend to occur in bursts. Therefore, the buffer 314 is used to stream data 
smoothly from the depacketizer 316 to the projection equipment. 

[0055] The theater manager 128 configures, manages the security of, operates, and 

monitors the theater subsystem 104. This includes the external interfaces, image and 
audio decryption/decompression modules 320 and 324, along with projector 148 and 
the sound system module 152. Control information comes from the playback module 
140, the CPU 312, the theater manager system 128, a remote control port, or a local 
control input, such as a control panel on the outside of the auditorium module 132 
housing or chassis. The decoder CPU 312 may also manage the electronic keys 
assigned to each auditorium module 132. Pre-selected electronic cryptographic keys 
assigned to auditorium module 132 are used in conjunction with the electronic 
cryptographic key information that is embedded in the image and audio data to 
decrypt the image and audio information before the decompression process. 
Preferably, the CPU 312 uses a standard microprocessor running embedded in the 
software of each auditorium module 132, as a basic functional or control element. 

[0056] In addition, the CPU 312 is preferably configured to work or communicate 

certain information with theater manager 128 to maintain a history of presentations 
occurring in each auditorium. Information regarding this presentation history is then 
available for transfer to the hub 102 using the return link, or through a transportable 
medium at preselected times. 

[0057] The image decryptor/decompressor 320 takes the image data stream from 

depacketizer 316, performs decryption, adds a watermark and reassembles the original 
image for presentation on the screen. The output of this operation generally provides 
standard analog RGB signals to digital cinema projector 148. Typically, decryption 
and decompression are performed in real-time, allowing for real-time playback of the 
programming material. 

[0058] The image decryptor/decompressor 320 decrypts and decompresses the image 

data stream to reverse the operation performed by the image compressor 184 and the 
image encryptor 188 of the hub 102. Each auditorium module 132 may process and 
display a different program from other auditorium modules 132 in the same theater 
subsystem 104 or one or more auditorium modules 132 may process and display the 
same program simultaneously. Optionally, the same program may be displayed on 
multiple projectors, the multiple projectors being delayed in time relative to each 
other. 

[0059] Image program data streams undergo dynamic image decompression using an 

inverse ABSDCT algorithm or other image decompression process symmetric to the 
image compression used in the central hub compressor/encryptor 112. If image 
compression is based on the ABSDCT algorithm the decompression process includes 
variable length decoding, inverse frequency weighting, inverse differential quad-tree 
transformation, IDCT, and DCT block combiner deinterleaving. The processing 
elements used for decompression may be implemented in dedicated specialized 
hardware configured for this function such as an ASIC or one or more circuit card 
assemblies. Alternatively, the decompression processing elements may be 
implemented as standard elements or generalized hardware including a variety of 
digital signal processors or programmable electronic devices or computers that 
operate under the control of special function software or firmware programming. 
Multiple ASICs may be implemented to process the image information in parallel to 
support high image data rates. 

[0060] Encryption generally involves digital sequence scrambling or direct encryption 

of the compressed signal. The words "encryption" and "scrambling" are used 
interchangeably and are understood to mean any means of processing digital data 
streams of various sources using any of a number of cryptographic techniques to 
scramble, cover, or directly encrypt said digital streams using sequences generated 
using secret digital values ("keys") in such a way that it is very difficult to recover the 
original data sequence without knowledge of the secret key values. 

[0061] Each image or audio program may use specific electronic keying information 

which is provided, encrypted by presentation-location or theater-specific electronic 
keying information, to theaters or presentation locations authorized to show that 
specific program. The conditional access manager (CAM) 124 handles this function. 
The encrypted working key needed by the auditorium to decrypt the stored 
information is transmitted, or otherwise delivered, to the authorized theaters prior to 
playback of the program. Note that the stored program information may potentially 
be transmitted days or weeks before the authorized showing period begins, and that 
the encrypted image or audio working key may be transmitted or delivered just before 
the authorized playback period begins. The encrypted working key may also be 
transferred using a low data rate link, or a transportable storage element such as a 
magnetic or optical media disk, a smart card, or other devices having erasable 
memory elements. The encrypted working key may also be provided in such a way as 
to control the period of time for which a specific theater complex or auditorium is 
authorized to show the program. 
[0062] Each theater subsystem 104 that receives an encrypted working key decrypts 

this value using its auditorium specific key, and stores this decrypted working key in a 
memory device or other secured memory. When the program is to be played back, 
the theater or location specific and program specific keying information is used, 
preferably with a symmetric algorithm, that was used in the encryptor 112 in 
preparing the encrypted signal to now descramble/decrypt program information in 
real-time. 

[0063] The decryption processes use previously provided unit-specific and program- 

specific electronic cryptographic key information to decrypt the image and audio 
information. Each theater subsystem 104 is provided with the necessary cryptographic 
key information for all programs authorized to be shown on each auditorium module 
132. Cryptographic keys typically 56 bits or longer are specific to each authorized 
theater manager 128, to each auditorium and to the specific image and/or audio 
program. A time varying key sequence may be used within the image and/or audio 
program. Smart card technology, such as smart card 328, is used to obtain the 
cryptographic keys and to transfer those keys to the signal decryption units. Physical 
and electronic security measures are used to prevent tampering with this key 
information and to detect attempted tampering or compromise. The key is stored in 
such a way that it can be erased in the event of detected tampering attempts. 

[0064] Figure 4 of the accompanying drawings illustrates how the CPU 312 and the 

smart card 328 interact with each other and with other parts of the auditorium module 
132 (shown in Figure 3). As shown in Figure 4, the CPU 312 is connected to receive 
decryption data signals from the central facility (Figure 1) via the theatre manager 128 
(see Figure 3). Although not shown in the drawings, it will be appreciated that the 
decryption data signals need not be delivered to the theatre subsystem 104 via the 
theatre manager 128. The signals may be delivered on a separate medium and input 
to the theatre subsystem 104 via the theatre storage device 136 for example. 
However, transfer via the theatre manager 128 is preferred because it keeps the 
decryption data signals separate from the video and audio information delivered to the 
theatre subsystem 104 by way of the exemplary removable hard drives (RHDs) 308 
shown in Figure 3. It also enables the decryption data signals to be delivered at a 
specified time, rather than merely some time in advance of when they are needed. 

[0065] The decryption data signals received from the central facility via the theatre 

manager 128 contain a small amount of data for use by the CPU 312. Most of the 
data in the received signals, however, is in encrypted form and, as such, is 
meaningless to the CPU 312. The encrypted data received by the CPU 312 is passed 
via a security interface 350 and a key transfer logic 352 to the smart card 328. 

[0066] The security interface 350 serves to isolate connection between the CPU 312 

and the smart card 328 from connection between the smart card 328 and other 
decryption units in the auditorium module, including the image 
decryptor/decompressor 320 and the audio decryptor/decompressor 324 (see Figure 
3). In this way, the encrypted data is passed from the CPU to the smart card and 
decrypted data is passed from the smart card to the decryption units in the auditorium 
module. Thus, the CPU 312 never has access to the decrypted data, so a prospective 
thief will not be able to gain access to the decrypted data by interrogating the CPU. 

[0067] The key transfer logic 352 enables different smart card technologies, or 

entirely different technologies such as preprogrammed flash memory cards, to be used 
without having to redesign the whole system. For example, a smart card in which 
data is transferred at, say, 3 MHz in both directions on the same line may easily be 
replaced by a different smart card in which data is transferred at, say, 40 MHz in both 
directions on different lines simply by reprogramming the key transfer logic 352. 
Dedicated hardware could, of course, be built into the security interface 350 to 
perform the same function as the key transfer logic, but this would not be so "future 
proof" as using the key transfer logic 352. It also enables the smart card technology 
to be readily changed or replaced in the event of a serious breach of security. 

[0068] The smart card comprises a main processor (not shown) and co-processor 

hardware implementation of a DES engine (also not shown) and/or other encryption 
techniques. Initially, the smart card contains no data. When the card is inserted into 
the system and/or during initial start up of the system, the CPU 312 is arranged first to 
check for the presence of the smart card and then to download an applet into the smart 
card 328. The applet may be stored in memory (not shown) associated with the CPU 
but is preferably only delivered to the CPU 312 via the theatre manager 128 when 
required for downloading into the CPU. Delivery of the applet only when required 
has clear security advantages. 

[0069] Once the applet has been correctly downloaded, it begins running on the main 

processor of the smart card 328. The applet includes a routine that causes an initial 
message to be sent to the CPU 312. In this way, the CPU receives confirmation that 
the smart card, which has been installed, is of the correct type (if it is not, then the 
applet may not run properly) and is working properly. 

[0070] During normal operation of the auditorium module 132, decryption keys are 

used by the image decryptor/decompressor 320 and the audio decryptor/decompressor 
324 to decrypt the encrypted image and audio data so that images can be displayed 
and audio broadcast within the auditorium. These decryption keys will be referred to 
in this part of the description as "working keys". 

[0071] The working keys change from time to time. For example, they may be valid 

for the few days that the movie is scheduled to be shown in the auditorium, for one 
showing of a movie, or even for only part of the movie. Each time the working key is 
to be changed, data defining a new working key is delivered to the auditorium module 
via the theatre manager 128 (see Figure 1) or otherwise. In order to protect the new 
working key, the data is delivered in encrypted form and thus a different decryption 
key is required to decrypt the data defining the new working key. This decryption key 
will be referred to herein as a "program key". 

[0072] The applet in the smart card transfers data representing the program key into 

the encryption co-processor hardware of the smart card. The data may be generated 
by the running of the applet or it may be downloaded with the applet before being 
transferred to the co-processor of the smart card. With the program key installed in 
the co-processor, the smart card is able to decrypt incoming data and extract working 
keys therefrom, when required. 

[0073] The encrypted signal from the theatre manager 128 includes data identifying 

the origin of the data, i.e. the central facility 102 (see Figure 1). When the signal has 
been decrypted by the smart card the identifying data is checked to ensure that the 
working key has indeed come from the central facility and not from some other 
source. 

[0074] The encrypted signal containing the working key(s) from the theatre manager 

128 is accompanied by data identifying where the key(s) are to be used. Different 
working keys are used in the decryption of the image and in the decryption of the 
audio, and it is therefore necessary to know the destination for each working key. The 
location data is processed by the CPU 312. The CPU 312 sends appropriate 
commands to the security interface 350 to ensure that the decrypted working key from 
the smart card is sent to the correct destination. 

[0075] The encrypted signal from the theatre manager 128 is also accompanied by 

data identifying when the decryption unit(s) 320,324 should begin using the newly 
decrypted working key and the period during which the working key is valid. This is 
useful at two levels. Firstly, it enables data for a working key to be sent ahead of 
time, thereby enabling the key to be sent at a time convenient to the central facility. 
Secondly, it facilitates changeover from one working key to another. The amount of 
time that the smart card takes to decrypt the working key is variable. The encrypted 
working key data of necessity, therefore, has to be delivered at least a few frames in 
advance of the time when the new working key will begin to be used. Each video 
frame is individually identified and it is therefore possible to specify down to an 
individual frame when the new working key should start to be used. 

[0076] The data accompanying the encrypted signal is used by the CPU 312 and the 

smart card 328 to supervise transfer of the decrypted working key from the smart card 
via the key transfer logic and security interface to the specified decryption unit(s) 
320,324 at the required time. Once the decrypted working key has been output from 
the smart card 328, the applet causes the smart card to send a "decryption completed" 
message to the CPU 312. This information is added to the above-mentioned 
presentation history maintained by the CPU 312 with the theatre manager 128. 
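
The key-install path of paragraphs [0065] to [0076], as an added Python sketch that is not code from the patent: the CPU forwards an opaque blob and routing data, the card decrypts it, checks the origin, and releases the working key only to the selected decryption unit. The class names, message fields, origin string, frame-range validity window and the HMAC-SHA256 keystream standing in for the card's cipher engine are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

ORIGIN_ID = b"CENTRAL-FACILITY-102"  # constructed origin identifier (assumption)


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for the card's cipher engine."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def subkeys(program_key):
    """Derive separate encryption and authentication keys from the program key."""
    return (hmac.new(program_key, b"enc", hashlib.sha256).digest(),
            hmac.new(program_key, b"mac", hashlib.sha256).digest())


def wrap_working_key(program_key, origin, working_key):
    """Central facility side: encrypt len(origin) || origin || working key."""
    enc_key, mac_key = subkeys(program_key)
    nonce = os.urandom(16)
    plain = bytes([len(origin)]) + origin + working_key
    body = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, nonce, len(plain))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


class DecryptionUnit:
    """Image or audio decryptor holding working keys with a frame validity window."""
    def __init__(self):
        self._keys = []  # (start_frame, end_frame, key)

    def install(self, key, start_frame, end_frame):
        self._keys.append((start_frame, end_frame, key))

    def key_for_frame(self, frame):
        for start, end, key in self._keys:
            if start <= frame <= end:
                return key
        return None


class SecurityInterface:
    """Carries card output to a decryption unit; the CPU only selects the route."""
    def __init__(self, units):
        self._units, self._route = units, None

    def select(self, destination, start_frame, end_frame):  # called by the CPU
        if destination not in self._units:
            raise ValueError("unknown destination")
        self._route = (destination, start_frame, end_frame)

    def deliver(self, key):  # called by the smart card only
        if self._route is None:
            raise RuntimeError("no route selected")
        destination, start, end = self._route
        self._units[destination].install(key, start, end)
        self._route = None


class SmartCard:
    def __init__(self, program_key, interface):
        self._program_key, self._interface = program_key, interface

    def process(self, blob):
        """Decrypt, check the origin, push the key out; return a status string only."""
        if len(blob) < 49:  # 16-byte nonce + at least 1 body byte + 32-byte tag
            return "rejected"
        enc_key, mac_key = subkeys(self._program_key)
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected"
        plain = bytes(a ^ b for a, b in zip(body, keystream(enc_key, nonce, len(body))))
        origin, working_key = plain[1:1 + plain[0]], plain[1 + plain[0]:]
        if origin != ORIGIN_ID or not working_key:
            return "rejected"
        self._interface.deliver(working_key)
        return "decryption completed"


class CPU:
    def __init__(self, card, interface):
        self.card, self.interface = card, interface
        self.history = []  # presentation history entries
        self.seen = []     # every byte string the CPU handles

    def handle(self, message):
        self.seen.append(message["blob"])
        self.interface.select(message["destination"], message["start_frame"], message["end_frame"])
        status = self.card.process(message["blob"])
        self.history.append((message["destination"], message["start_frame"], status))
        return status
```

The `seen` list exists only so the isolation property can be checked: the plaintext working key never appears in anything the CPU handled.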

[0077] Referring back to Figure 1, the decoder chassis 144 includes a fiber channel 

interface 288, the depacketizer 316, the decoder controller or CPU 312, the image 
decryptor/decompressor 320, the audio decryptor/decompressor 324, and the smart 
card 328. The decoder chassis 144 is a secure, self-contained chassis that also houses 
the smart card 328 interface, internal power supply and/or regulation, cooling fans (as 
necessary), a local control panel, and external interfaces. 

[0078] The local control panel (not shown) may use any of various known input 

devices such as a membrane switch flat panel with embedded LED indicators. The 
local control panel typically uses or forms part of a hinged access door to allow entry 
into the chassis interior for service or maintenance. This door has a secure lock to 
prevent unauthorized entry, theft, or tampering of the system. The smart card 328 is 
installed inside the decoder chassis 144, secured behind the locked front panel. The 
smart card slot is accessible only inside the secured front panel. The RGB signal 
output from the image decryptor/decompressor 320 to the projector 148 is connected 
securely within the decoder chassis 144 in such a way that the RGB signals cannot be 
accessed while the decoder chassis 144 is mounted to the projector housing. Security 
interlocks may be used to prevent operation of the decoder 144 when it is not 
correctly installed to the projector 148. 

[0079] It will be appreciated from the foregoing description that the use of a smart 

card or other removable programmable device to decrypt working keys as and when 
they are required, and to do that decryption as an operation separate and isolated from 
the rest of the theatre subsystem, enables a good level of security to be achieved. The 
CPU 312 in the auditorium 132 never "sees" the working keys in decrypted form and 
so security cannot be breached by interrogation of the CPU. This, together with the 
above-discussed security in the cabinet, provides a secure environment for reception, 
decoding and displaying of a movie program. 

[0080] The audio decryptor/decompressor 324 shown in Figure 3 operates in a similar 

manner on the audio data. The audio decryptor/decompressor 324 takes the audio data 
stream from the depacketizer 316, performs decryption, and reassembles the original 
audio for presentation on a theater's speakers or audio sound system 152. The output 
of this operation provides standard line level audio signals to the sound system 152. 

[0081] Similar to the image decryptor/decompressor 320, the audio 

decryptor/decompressor 324 reverses the operation performed by the audio 
compressor 192 and the audio encryptor 196 of the hub 102. Using electronic keys 
from the cryptographic smart card 328 in conjunction with the electronic keys 
embedded in the data stream, the decryptor 324 decrypts the audio information. The 
decrypted audio data is then decompressed. 

[0082] Audio decompression is performed with an algorithm symmetric to that used 

at the central hub 102 for audio compression. Multiple audio channels, if present, are 
decompressed. The number of audio channels is dependent on the multi-phonic 
sound system design of the particular auditorium, or presentation system. Additional 
audio channels may be transmitted from the central hub 102 for enhanced audio 
programming for purposes such as multi-language audio tracks and audio cues for 
sight impaired audiences. The system may also provide additional data tracks 
synchronized to the image programs for purposes such as multimedia special effects 
tracks, subtitling, and special visual cue tracks for hearing impaired audiences. 
[0083] As discussed earlier, audio and data tracks may be time synchronized to the 

image programs or may be presented asynchronously without direct time 
synchronization. Image programs may consist of single frames (i.e., still images), a 
sequence of single frame still images, or motion image sequences of short or long 
duration. 

[0084] If necessary, the audio channels are provided to an audio delay element, which 

inserts a delay as needed to synchronize the audio with the appropriate image frame. 
Each channel then goes through a digital to analog conversion to provide what are 
known as "line level" outputs to sound system 152. That is, the appropriate analog 
level or format signals are generated from the digital data to drive the appropriate 
sound system. The line level audio outputs typically use standard XLR or AES/EBU 
connectors found in most theater sound systems. 

[0085] The sound system 152 presents the audio portion of a program on the theater's 

speakers. Preferably, the sound system 152 receives up to 12 channels of standard 
format audio signals, either in digital or analog format, from the audio 
decryptor/decompressor 324. 

[0086] Alternatively, the playback module 140 and the decoder 144 may be integrated 

into a single playback-decoder unit 332. Combining the playback module 140 and the 
decoder module 148 results in cost and access time savings in that only a single CPU 
(292 or 312) is needed to serve the functions of both the playback module 140 and the 
decoder 144. Combination of the playback module 140 and the decoder 144 also does 
not require the use of a fiber channel interface 288. 

[0087] If multiple viewing locations are desired, information on any storage device 

136 is configured to transfer compressed information of a single image program to 
different auditoriums with preselected programmable offsets or delays in time relative 
to each other. These preselected programmable offsets are made substantially equal 
to zero or very small when a single image program is to be presented to selected 
multiple auditoriums substantially simultaneously. At other times, these offsets can 
be set anywhere from a few minutes to several hours, depending on the storage 
configuration and capacity, in order to provide very flexible presentation scheduling. 
This allows a theater complex to better address market demands for presentation 
events such as first run films. 

[0088] The theater manager 128 is illustrated in greater detail in Figure 5 of the 

accompanying drawings. Turning now to Figure 5, the theater manager 128 provides 
operational control and monitoring of the entire presentation or theater subsystem 104 
or one or more auditorium modules 132 within a theater complex. The theater 
manager 128 may also use a program control means or mechanism for creating 
program sets from one or more received individual image and audio programs, which 
are scheduled for presentation on an auditorium system during an authorized interval. 

[0089] The theater manager 128 comprises a theater manager processor 336 and may 

optionally contain at least one modem 340, or other device that interfaces with a 
return link, for sending messages back to central hub 102. The theater manager 128 
may include a visual display element such as a monitor and a user interface device 
such as a keyboard, which may reside in a theater complex manager's office, ticket 
booth, or any other suitable location that is convenient for theater operations. 

[0090] The theater manager processor 336 is generally a standard commercial or 

business grade computer. The theater manager processor 336 communicates with the 
network manager 120 and conditional access manager 124 (see Figure 1). 
Preferably, the modem 340 is used to communicate with the central hub 102. The 
modem 340 is generally a standard phone line modem that resides in or is connected 
to the processor, and connects to a standard two-wire telephone line to communicate 
back to the central hub 102. Alternatively, communications between the theater 
manager processor 336 and the central hub 102 may be sent using other low data rate 
communications methods such as Internet, private or public data networking, 
wireless, or satellite communication systems. For these alternatives, the modem 340 is 
configured to provide the appropriate interface structure. 

[0091] The theater manager 128 allows each auditorium module 132 to communicate 

with each storage device 136. A theater management module interface may include a 
buffer memory such that information bursts may be transferred at high data rates from 
the theater storage device 136 using the theater manager interface 126 and processed 
at slower rates by other elements of the auditorium module 132. 

[0092] Information communicated between the theater manager 128 and the network 

manager 120 and/or the conditional access manager 124 includes requests for 
retransmission of portions of information received by the theater subsystem 104 that 
exhibit uncorrectable bit errors, monitor and control information, operations 
reports and alarms, and cryptographic keying information. Messages communicated 
may be cryptographically protected to provide eavesdropping type security and/or 
verification and authentication. 
[0093] The theater manager 128 may be configured to provide fully automatic 

operation of the presentation system, including control of the playback/display, 
security, and network management functions. The theater manager 128 may also 
provide control of peripheral theater functions such as ticket reservations and sales, 
concession operations, and environmental control. Alternatively, manual intervention 
may be used to supplement control of some of the theater operations. The theater 
manager 128 may also interface with certain existing control automation systems in 
the theater complex for control or adjustment of these functions. The system to be 
used will depend on the available technology and the needs of the particular theater, 
as would be known. 

[0094] Through either control of theater manager 128 or the network manager 120, 

the invention generally supports simultaneous playback and display of recorded 
programming on multiple display projectors. Furthermore, under control of theater 
manager 128 or the network manager 120, authorization of a program for playback 
multiple times can often be done even though theater subsystem 104 only needs to 
receive the programming once. Security management may control the period of time 
and/or the number of playbacks that are allowed for each program. 

[0095] Through automated control of the theater manager 128 by the network 

management module 112, a means is provided for automatically storing, and 
presenting programs. In addition, there is the ability to control certain preselected 
network operations from a location remote from the central facility using a control 
element. For example, a television or film studio could automate and control the 
distribution of films or other presentations from a central location, such as a studio 
office, and make almost immediate changes to presentations to account for rapid 
changes in market demand, or reaction to presentations, or for other reasons 
understood in the art. 

[0096] The theater subsystem 104 may be connected with the auditorium module 132 

using a theater interface network (not shown). The theater interface network 
comprises a local area network (electric or optical) which provides for local routing of 
programming at the theater subsystem 104. The programs are stored in each storage 
device 136 and are routed through the theater interface network to one or more of the 
auditorium system(s) 132 of the theater subsystem 104. The theater interface network 
126 may be implemented using any of a number of standard local area network 
architectures which exhibit adequate data transfer rates, connectivity, and reliability 
such as arbitrated loop, switched, or hub-oriented networks. 

[0097] Each storage device 136, as shown in Figure 1, provides for local storage of 

the programming material that it is authorized to play back and display. The storage 
system may be centralized at each theater system. In this case the theater storage 
device 136 allows the theater subsystem 104 to create presentation events in one or 
more auditoriums and may be shared across several auditoriums at one time. 
Depending upon capacity, the theater storage device 136 may store several programs 
at a time. The theater storage device 136 may be connected using a local area 
network in such a way that any program may be played back and presented on any 
authorized presentation system (i.e., projector). Also, the same program may be 
simultaneously played back on two or more presentation systems. 

[0098] Having thus described the invention by reference to a preferred embodiment it 

is to be well understood that the embodiment in question is exemplary only and that 
modifications and variations such as will occur to those possessed of appropriate 
knowledge and skills may be made without departure from the spirit and scope of the 
invention as set forth in the appended claims and equivalents thereof. 

[0099] What we claim as our invention is: 